There is a new buzzword in the business world, or rather buzz abbreviation. GRC -- or governance, risk management and compliance -- has invaded the language of consultants (including the major accounting firms), analysts such as Gartner and Forrester Research, and software vendors. Increasingly, it is an abbreviation used in the executive suite and boardroom. Unfortunately, there is no single, commonly accepted definition of GRC.
The Best Definition of GRC
Last October, I attended a GRC summit and was astonished that every single presenter had a different definition of GRC. I counted about 22. Personally, I prefer the Open Compliance and Ethics Group’s (OCEG’s) definition. It has credibility because it was written by a team composed of not only consultants and software vendors, but also risk, compliance, legal, internal audit and other practitioners from OCEG member organizations.
In its GRC Capability Model, Red Book, 2.0 (April 2009), OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:
- Understand and prioritize stakeholder expectations.
- Set business objectives that are congruent with values and risks.
- Achieve objectives while optimizing risk profile and protecting value.
- Operate within legal, contractual, internal, social, and ethical boundaries.
- Provide relevant, reliable, and timely information to appropriate stakeholders.
- Enable the measurement of the performance and effectiveness of the system.”
The definition can perhaps best be summarized as how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations, while managing risks and complying with applicable laws, regulations and obligations.
GRC Functions and Processes
GRC processes are extensive, ranging from the activities of the board and executive management, through strategy setting, performance management, risk management and financial reporting, and including internal controls and IT security. OCEG’s list of functions and processes that are typically included in GRC makes this very clear:
- Strategy and business performance management
- Risk management
- Internal control
- Corporate security
- Business ethics
- Sustainability and corporate social responsibility
- Quality management
- Human capital and culture
- Audit and assurance
Vendors Define GRC Differently
Business and IT management can get caught up in the GRC confusion. Perhaps the most common problem is when vendors of services or software market their GRC capabilities. Managers should not assume the vendor is talking about GRC as defined by OCEG. Instead, they should ask what the vendor means by “GRC.”
In my experience, companies tend to define GRC to suit the strengths of their offerings. It is important to note that no single vendor has a solution that integrates, on a common platform, enabling technology for every GRC process (as defined by OCEG). Vendors have technology for one, or several, GRC processes, but not all. When vendors call, managers should make them focus on business processes and how they help the specific situation. Do not fall into the trap of limiting the discussion to the vendor’s agenda.
And So Do The Analysts
Unfortunately, the analysts that assess the quality of software products -- primarily Gartner and Forrester Research -- use definitions of GRC that differ not only from OCEG's but also from each other's.
For example, Gartner defines GRC management as “the automation of the management, measurement, remediation, and reporting of controls and risks against objectives, in accordance with rules, regulations, standards and policies.” Forrester’s definition is close to OCEG’s, but does not include areas such as performance management or strategy.
So What Do You Do?
Because GRC has so many different definitions, my advice is to come up with a definition that works for you and your company. My preference is the OCEG definition. When it comes to selecting software, I always advise companies to base their decisions on their own business needs and not somebody’s definition of “GRC software.”